
Tal Cohen, author of a number of book reviews in his own right, has sent over a review of Bruce Schneier's Applied Cryptography, 2nd Edition. One of the best introductions to the field of cryptography, this is a book well worth reading, even for those who simply want a better understanding of the potential of cryptography and what it's all about.

A fantastic introduction and a handy reference on one of computer science's most interesting fields.

More than any other field in computer science, cryptography is associated
with computer warfare. Recent international treaties define cryptographic
algorithms as weapons, and the laws of many countries prohibit either the
development, the usage, or the export of cryptographic algorithms. Yet while
feared by governments, cryptography is one of the most fascinating -- and useful
-- fields of algorithmics.

The whole point of cryptography is to solve
problems. (Actually, that's the whole point of computers --
something many people tend to forget.) Cryptography solves problems
that involve secrecy, authentication, integrity, and dishonest
people. You can learn all about cryptographic algorithms and
techniques, but these are academic unless they can solve a
problem.

Bruce Schneier's Applied Cryptography, in its second edition, is
probably the best introduction to the field. Schneier is not merely an excellent
technical writer, but also a researcher in the field; for example, he developed
the public-domain Blowfish encryption algorithm. But unlike many works by other
researchers, Schneier's work does not read like a dry paper for a scientific
journal. His writing is very enjoyable (though the jokes are overdone at times)
and his explanations are almost always lucid.

Breaking a plate is a good example of a
one-way function. It is easy to smash a plate into a thousand tiny
pieces. However, it's not easy to put all those tiny pieces back
together into a plate. [...]

So, what good are one-way functions? We can't use them for
encryption as is. A message encrypted with the one-way function
isn't useful; no one could decrypt it. (Exercise: Write a message on
a plate, smash the plate into bits, and then give the bits to a
friend. Ask your friend to read the message. Observe how impressed
he is with the one-way function.) For public-key cryptography, we
need something else.

Generally, the book covers four main subjects: protocols, algorithms, source
code (in C), and politics. As the title indicates, the book is intended for
people who actually wish to apply cryptographic methods to their
programs, and so the theoretical discussions are mostly at an introductory level --
sufficient to make you understand how an algorithm works and what its
benefits and potential weaknesses are, but without elaborate mathematical proofs,
for example.

Part II, "Cryptographic Techniques", deals with such issues
as key length, key management, and methods of employing algorithms. The longest
section, Part III, spans 13 chapters -- "Cryptographic
Algorithms". The algorithms covered include DES and its variants, Skipjack,
Lucifer, LOKI, RC2, RC4, RC5 (that's the cow in your tray-bin!), IDEA,
Blowfish, RSA and many others. The greatest detail is given to the venerable old
DES, but the information about other protocols (over 50 in all, including block
ciphers, stream ciphers, random-sequence generators, one-way hash functions,
public key algorithms, and more) is sufficiently detailed for you to decide
which best suits your needs. And if you need more information, an outstandingly
detailed list of over 1,600 references is included.

As in most texts about cryptography, protocols and algorithms are described
using the merry cast of Alice (side A), Bob (side B), Eve the eavesdropper,
Mallory the malicious attacker, and their other friends and foes. This makes
descriptions much easier, since once you get used to these Dramatis Personae
(which happens rather quickly), you immediately know who plays what role in each
scene, without wasting time on repeated explanations. Schneier brings those
characters to life in numerous examples of the pros and cons of various
approaches.

Part IV, "The Real World", deals with two subjects: sample
implementations in actual products, and politics, including history and legal
issues. The history of cryptography is much longer than that of computer
science: from secret codes to invisible inks, encoded messages have been around for a
very long time indeed. On the other hand, cracking cryptographic codes was among
the earliest uses of computers, back in WWII (as anyone familiar with the story
of Alan Turing knows).

One section in chapter 25 lists the import and export limitations on
cryptography in different places around the globe. The most interesting entry is
for my own country, Israel, which (according to Schneier) "has import
restrictions, but no one seems to know what they are."

The final section, "Source Code", includes over 50 pages of
sources in C for several algorithms: DES, LOKI91, IDEA, GOST, Blowfish, 3-Way,
RC5, A5 and SEAL. It looks insane that a book with so many lines of source is
not accompanied by a CD; but then you realize that what's insane is not the book,
but export laws, which allow cryptographic algorithms to be distributed in print
-- but not on electronic media. Consider, for example, how Phil Zimmermann's PGP
was legally exported from the US to the rest of the world: the sources were
printed in a one-copy book, which was mailed to Europe, scanned in and
recompiled.

If you live in the States, you can order a set of 3 floppies directly from
Schneier, with sources for most of the algorithms discussed in the book (and
more).

I have the first edition of this book, and I felt it was really good... have been meaning to get the second edition for a while, but haven't got around to it yet.

IMHO, some reasons why Schneier spends so much time dissecting DES are:

1. It's one of the most popular crypto algorithms in the world, despite its mediocre key length (and 3DES can help that).

2. It's really rather well designed for its day; it shows you the kind of skull sweat that goes into crypto algorithm design.

3. As a result of (2), many of its design features are common to other algorithms, including many of the current AES candidates. Understanding this one can give you a handle on understanding a lot more of them.

I never took the crypto course in my CS curriculum in college, but this book made me wish I had.

I got a copy last week and I'm very impressed. It's sometimes a little long-winded, and for its size, it's maybe a little short on the "Here is DES. This is how it works. This is why it works." that I was looking for, but it's definitely a very worthwhile book.

If anyone has the sources and is willing to become an international arms dealer, could they please email me? I'd rather not have to type in all that stuff..:-)

I have to agree that Applied Cryptography is a very good book, but it does not contain everything there is to know about writing safe crypto applications. The "Handbook of Applied Cryptography" is a more thorough treatise. For more specific stuff look on www.counterpane.com, they've got a huge online literature list.

This is a solid book, and a definite must-have for a foundation library. What I wondered was, does anyone familiar with the subject have a recommendation for books or resources on hybrid encryption schemes?

I've got the second edition here on my desk, in paperback form. I purchased it while still in college (I graduated May '98, probably purchased the book about a year prior). The only copyright date on the inside is listed as 1996.